What is a true cloud SIEM solution?
It’s important to state that simply offering a SIEM as a SaaS solution does not make it a next-gen SIEM. Many legacy SIEM vendors have just lifted and shifted their old, inefficient architectures to the cloud and are delivering them as a SaaS offering. Running a legacy SIEM in the cloud yields high cloud infrastructure costs that organizations must bear. Beyond cost, security teams forced to use a legacy SIEM as a SaaS solution will also have to deal with a dearth of hot, searchable data and slow search performance at scale. Not exactly a recipe for success.
A good sniff test of whether a SIEM is truly cloud-native and SaaS is to check whether it is also offered as an on-prem, self-hosted solution. If it is offered for on-prem operation, it is almost certainly not a next-gen SIEM. Even if you can self-manage it in your private cloud, buyer beware. Usually any self-hosted solution, even one running in your own managed Amazon Web Services (AWS) or other cloud environment, is not a next-gen solution, because it relies on you to make sure it scales out appropriately. Like most modern, cutting-edge technologies, a next-gen SIEM is a complete SaaS offering.
So how do Splunk Cloud, Sumo Logic, and Devo compare in their cloud SIEM offerings?
- Splunk Cloud: Splunk is not a cloud-native SaaS solution. It was designed as an on-prem solution that the company later moved to the cloud. While its SaaS solution—Splunk Cloud—is growing, it is a lifted-and-shifted architecture.
- Sumo Logic: Sumo Logic is a cloud-native SaaS solution. Built on AWS, Sumo Logic was designed to live in the cloud and overcome many of the challenges of on-prem solutions. Sumo can only be deployed in AWS, and only in certain availability zones.
- Devo: Devo is a fully managed SaaS solution born in the cloud to handle the multi-terabyte needs of today’s data age. As of this writing (June 2021), it is available in AWS. It fully supports ingesting data from multi-cloud and hybrid cloud environments.